Security expert Robert Graham ruled out that the blackouts of 2005 and 2007 were caused by hackers, but warned that attackers could indeed cause blackouts, and without much difficulty, because the energy companies themselves are unaware of the problems in their computer networks. These alleged attacks were reported by the U.S. television network CBS on "60 Minutes" earlier this month.
The ONS confirmed on Monday afternoon (16) that its corporate network was hacked late on Thursday. However, it ruled out that the blackout that hit 18 states on Tuesday (10) was caused by computer hacking. The ONS cites the Ministry of Mines and Energy, which reconfirmed that the blackout was caused by a short circuit.
Robert Graham, interviewed by G1, is founder and CEO of the security firm Errata Security. A specialist in security analysis, he performs penetration tests (pen-tests), a kind of "hacking" authorized by companies to verify the security of their own networks. Graham has extensive experience in the electricity sector and, in 2006, lectured on the subject at the Black Hat security conference, one of the most important in the world, as part of the X-Force research team at Internet Security Systems (ISS), now part of the giant IBM.
Contestation
In response to what was said by "60 Minutes," Graham wrote in his blog: "as a pen-tester, I know that [the North American grid] is insecure. I do safety assessments of energy companies. I know I can hack the Internet and cause blackouts."
Despite the vulnerability, Robert Graham does not believe that the blackouts were caused by hackers. To substantiate the allegation that Brazil had been attacked, "60 Minutes" cited intelligence and military officers in the United States. These anonymous sources fail to convince the expert.
"I have had many experiences with U.S. intelligence agencies. They tend to distort any rumor related to hackers, have an extreme paranoia and will easily consider as 'fact' things for which there is little or no evidence," says Graham. "In other areas they do a good job of distinguishing fact and fiction, but it seems like everything that involves hacking scares them."
The specialist does not believe that the lack of security in electrical networks is a big problem. "There is a risk. Hackers will eventually cause a major blackout. In the grand scheme of things, however, it is not so important. Blackouts caused by accidental errors will always be a bigger threat. Member nations exploding transmission lines, pump, always will be a greater threat. Poor regulation will always be a bigger threat," he wrote in his blog.
Graham believes that the "60 Minutes" story is just "propaganda" to sell the idea that the electrical system requires more government intervention to increase its security, which, he said, will not solve the problem.
Vulnerability
Example of the graphical interface of a SCADA system. (Photo: Reproduction)
In an interview with G1, the specialist said he does not believe that attacks on the electrical system happen, and says he has no idea why they do not. "I do many tests, and sometimes I'm very surprised that my client has not been hacked," he says. Like other basic services such as water and gas, the electricity supply is monitored and controlled by systems known as SCADA (Supervisory Control and Data Acquisition).
According to the companies, the SCADA system is always isolated from the Internet and other networks, which would prevent external attacks. In the specialist's experience, this is not the case.
Although Graham's experience is in the United States, there is no reason to believe that the situation is very different in Brazil; in fact, some of the control systems used there are also used here. The talk the expert gave at Black Hat recounts several cases in which the client, in this case an energy company, said it was safe because the SCADA network was isolated. Graham proved the contrary, often simply by accessing an open wireless network and finding systems that bridged the networks.
In one case, the computer that connected to the control network could be compromised through a ten-year-old flaw. The computer had never been updated.
This is because a characteristic of SCADA systems is that, being part of critical infrastructure, they are rarely updated. "So you can see all kinds of strange computer equipment, which was installed 20 years ago and never moved," says the expert. He said that control systems on computers running Windows 95 are "common".
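A defender can test the isolation claim directly against an asset inventory. The following is an added example (not from the article or from Graham's talk) that flags hosts with one interface on the control network and another elsewhere, and marks those that have gone unpatched; the subnets, host names and patch years are constructed sample data.

```python
import ipaddress

# Constructed segment plan (assumption, not from the article).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "wireless": ipaddress.ip_network("10.20.0.0/16"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed inventory: interface addresses and year of last patch.
INVENTORY = [
    {"host": "hist-01", "addrs": ["10.10.4.7", "192.168.50.12"], "last_patched": 1999},
    {"host": "hmi-02", "addrs": ["192.168.50.20"], "last_patched": 2004},
    {"host": "eng-laptop", "addrs": ["10.20.1.33", "192.168.50.77"], "last_patched": 2009},
    {"host": "rtu-gw", "addrs": ["192.168.50.5", "172.16.9.1"], "last_patched": 2001},
    {"host": "mail-01", "addrs": ["10.10.0.25"], "last_patched": 2009},
]


def segments_of(addrs):
    """Map each interface address to a segment name; unmatched -> 'unknown'."""
    found = set()
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        names = [name for name, net in SEGMENTS.items() if ip in net]
        found.update(names or ["unknown"])
    return found


def find_bridges(inventory, audit_year, max_age_years=1):
    """Return hosts that sit on the control network and on any other segment."""
    findings = []
    for entry in inventory:
        segs = segments_of(entry["addrs"])
        if "control" in segs and len(segs) > 1:
            findings.append({
                "host": entry["host"],
                "also_on": sorted(segs - {"control"}),
                "stale": audit_year - entry["last_patched"] > max_age_years,
            })
    return findings


if __name__ == "__main__":
    for finding in find_bridges(INVENTORY, audit_year=2009):
        print(finding)
```

An interface that matches no documented segment is reported as `unknown` rather than ignored, since an undocumented second leg on a control host is itself a finding.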
Sometimes special-purpose equipment is used for the task. It is even more insecure than traditional computers, but the fact that it is custom-built makes attacks difficult. Unfortunately, the hacker can get the information on the company's own network.
"In theory, the hacker would need inside knowledge. In practice, the manuals are on the internet and you can buy cheap discarded equipment on eBay. In our experience, the information needed is on the computers in the corporate network. Then, once we get there, we have all the information to hack into the control network," says the expert.
The belief that these systems are isolated also leads to the use of weak or no authentication. The challenge is getting into the control network, since the system itself is not secure.
Another misconception, Graham warns, is that criminals cannot obtain information about SCADA. In fact, suppliers of such technology publish various data about their products on the Internet. In addition, marketing materials with "success stories" reveal which system is used by some energy suppliers. This public document from General Electric, for example, reveals that the state-owned Hydroelectric Company of São Francisco (CHESF) makes use of a monitoring product called Universal Relay.